US9047477B2 · Active · Utility

Distributed key encryption in servers

Assignee: NUNEZ-TEJERINA FABIAN
Priority: May 26, 2009
Filed: May 26, 2009
Granted: Jun 2, 2015
Est. expiry: May 26, 2029 (~2.9 yrs left), nominal 20-yr term from priority
Inventors: NUNEZ-TEJERINA FABIAN; KAY JEFFREY B; FRUTH ROBERT C; PALAVALLI NAVEEN A; CHINTA RAMESH; ACAR TOLGA
Classifications: H04L 9/3263, G06F 21/6209, H04L 9/006, H04L 63/0823

Abstract

Architecture that stores specific passwords on behalf of users, and encrypts the passwords using encryption keys managed by a distributed key management system. The encryption keys are stored in a directory service (e.g., hierarchical) in an area that is inaccessible by selected entities (e.g., administrative users) having superior permissions such as supervisory administrators, but accessible to the account components that need to access the unencrypted passwords. The distributed key management system makes the encryption key stored in the directory service available to all hardware/software components that need the key to encrypt or decrypt the passwords.
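
The arrangement in the abstract, as an added sketch that is not code from the patent or its assignee: an in-memory stand-in for the directory tree, with a per-account AES-256-GCM key under the global settings location and only ciphertext under the account entry. The class, the method names and the role names (`global-admin`, `service`, `peer-admin`) are assumptions made for illustration.

```ruby
require "openssl"

class AccessDenied < StandardError; end

# Constructed in-memory stand-in for the directory service tree.
class Directory
  KEY_READERS = %w[global-admin service].freeze # assumed role names

  def initialize
    @global_settings = {} # global settings location: account => AES-256 key
    @accounts = {}        # privileged account location: nonce + tag + ciphertext
  end

  # Creates the per-account key under the global settings location.
  def provision(account)
    @global_settings[account] = OpenSSL::Random.random_bytes(32)
    nil
  end

  # What a peer administrator can read: the account entry, ciphertext only.
  def account_entry(account)
    @accounts[account]
  end

  def store_password(role, account, password)
    c = cipher(:encrypt, role, account)
    nonce = c.random_iv
    c.auth_data = account # ties the blob to this account entry
    body = c.update(password) + c.final
    @accounts[account] = nonce + c.auth_tag + body
  end

  def load_password(role, account)
    c = cipher(:decrypt, role, account)
    blob = @accounts.fetch(account)
    c.iv = blob.byteslice(0, 12)
    c.auth_tag = blob.byteslice(12, 16)
    c.auth_data = account
    (c.update(blob.byteslice(28, blob.bytesize)) + c.final).force_encoding("UTF-8")
  end

  private
  # The ACL check runs first, so a denied role never touches key material.
  def cipher(mode, role, account)
    raise AccessDenied, "#{role}: no access to global settings" unless KEY_READERS.include?(role)
    c = OpenSSL::Cipher.new("aes-256-gcm").public_send(mode)
    c.key = @global_settings.fetch(account)
    c
  end
end
```

A peer administrator who reads `account_entry` gets the nonce, tag and ciphertext, and any attempt to store or load through the key path raises `AccessDenied` before the key is read.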

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
1. A computing device to provide data protection with distributed key management, the computing device comprising:
 a memory, 
 a processor coupled to the memory, the processor executing an application in conjunction with instructions stored in the memory, wherein the application includes:
 a security component configured to:
 detect an input of access information to access an external service; 
 retrieve an encryption key associated with the access information from a global settings location of a tree structure of a shared information infrastructure, wherein the encryption key corresponds to a user account associated with the access information; and 
 encrypt the access information using the encryption key; 
 
 a management component configured to:
 store the access information that is encrypted at a privileged location of the user account; 
 provide a global administrator an access to the global settings location; and 
 prevent a peer administrator associated with the user account an access to the global settings location; 
 
 a storage component configured to:
 store the encryption key associated with the access information at the global settings location of the tree structure of the shared information infrastructure. 
 
 
 
     
     
2. The computing device of claim 1, wherein the security component is further configured to:
 receive the access information that is encrypted from a system component that requests an access to the external service; and 
 retrieve the encryption key that corresponds to the access information that is encrypted from the global settings location of the tree structure of the shared information infrastructure. 
 
     
     
3. The computing device of claim 2, wherein the security component is further configured to:
 decrypt the access information that is encrypted with the encryption key; and 
 provide an access to the external service using the access information that is decrypted. 
 
     
     
4. The computing device of claim 2, wherein the system component includes a mailbox aggregator.
     
     
5. The computing device claim 1, wherein the security component is further configured to:
 detect one or more passwords associated with the user account as stored within the access information; and 
 provide the global administrator an access to the access information. 
 
     
     
6. The computing device of claim 1, wherein the security component is further configured to:
 detect one or more passwords associated with the user account as stored within the access information; and 
 deny the peer administrator an access to the access information. 
 
     
     
7. The computing device of claim 1, wherein the security component is further configured to:
 provide an access to the external service using the access information, wherein the external service includes one or more of: a user message account service, a business service, and a communication service. 
 
     
     
8. The computing device of claim 1, wherein the security component is further configured to:
 detect the peer administrator as having a supervisory permission over the user account; and 
 deny the peer administrator an access to the encryption key. 
 
     
     
9. A system to provide data protection with distributed key management, the system comprising:
 an external server that provides an external service; 
 a computing device that provides an application to manage data protection, the computing device comprising:
 a memory, 
 a processor coupled to the memory, the processor executing the application in conjunction with instructions stored in the memory, wherein the application is configured to:
 store an encryption key associated with an access information that corresponds to a user account at a global settings location of a tree structure of a shared information infrastructure; 
 detect an input of the access information to access an external service, wherein the access information includes one or more passwords associated with the user account; 
 retrieve the encryption key associated with the access information from the global settings location of the tree structure of the shared information infrastructure, wherein the encryption key corresponds to the user account associated with the access information; 
 encrypt the access information using the encryption key; 
 store the access information that is encrypted at a privileged location of the user account; 
 provide a global administrator an access to the global settings location; and 
 prevent a peer administrator associated with the user account an access to the global settings location. 
 
 
 
     
     
10. The system of claim 9, wherein the application is further configured to:
 receive the access information that is encrypted from a system component that requests an access to the external service, wherein the system component includes a mail aggregator; and 
 retrieve the encryption key that corresponds to the access information that is encrypted from the global settings location of the tree structure of the shared information infrastructure. 
 
     
     
11. The system of claim 10, wherein the application is further configured to:
 decrypt the access information that is encrypted using the encryption key; and 
 transmit the access information that is decrypted to the system component to allow the system component an access to the external service. 
 
     
     
12. A method executed on a computing device to provide data protection with distributed key management, the method comprising:
 storing an encryption key associated with an access information that corresponds to a user account at a global settings location of a tree structure of a shared information infrastructure; 
 detecting an input of the access information to access an external service, wherein the access information includes one or more passwords associated with the user account; 
 retrieving the encryption key associated with the access information from the global settings location of the tree structure of the shared information infrastructure, wherein the encryption key corresponds to the user account associated with the access information; 
 encrypting the access information using the encryption key; 
 storing the access information that is encrypted in a privileged location of the user account; 
 providing a global administrator an access to the global settings location; and 
 preventing a peer administrator associated with the user account an access to the global settings location. 
 
     
     
13. The method of claim 12, further comprising:
 retrieving the access information that is encrypted from the privileged location of the user account, in response to a request to access the external service by a system component; 
 retrieving the encryption key from the global settings location of the tree structure of the shared information infrastructure; 
 decrypting the access information that is encrypted using the encryption key; and 
 transmitting the access information that is decrypted to allow an access to the external service. 
 
     
     
14. The method of claim 13, wherein the system component is an email aggregator that requests the one or more passwords to receive an access to the external service.
     
     
15. The method of claim 12, further comprising:
 segregating a peer organization that includes the user account and other user accounts based on the tree structure of the shared information infrastructure and the privileged location of the user account and other privileged locations of the other user accounts.
